Basic Reverse Engineering

It turns out that reverse engineering native iPhone apps (calc, mobile safari, mobile mail or anything that is on the phone by default and not from the app store) can be quite an involved process for those not familiar with the ARM architecture or Objective-C. Here I will give a brief introduction to the tools needed for the job and some links to further information.

Native applications are stored in the “/Applications” directory on the iPhone. In here you will find folders such as AppStore.app, MobileMail.app, MobileSafari.app, etc. These are the native applications. Beginning reverse engineering on these is very simple. For example, if we enter the MobileSafari.app directory, among other files we find the “MobileSafari” binary file. Open this with your favorite disassembler (HT Editor, IDA pro, etc) or use otool (arm-apple-darwin-otool if you have installed the desktop toolchain) with the -Vt option to dump the assembly.

Since the binaries run on the ARM platform, it is necessary to understand the ARM instruction-set. I have found the following links helpful:

Objective-C is a little bit of a different beast than it’s C counterpart. In the assembly you will see calls to sendmsg scattered throughout the entire program. This is really the way Objective-C calls class methods. Anyways, a basic knowledge of Objective-C is needed to understand the assembly. There are plenty of iPhone development books out there, which I’m sure are all fine. I am starting to read iPhone Open Application Development by Jonathan Zdziarski.

Another place to start reverse engineering on the iPhone is in the shared libraries. In “/usr/lib” we can find a bunch of dylib files. These are the libraries to start looking at and can be reversed as described above. There are also some interesting files in “/Library” we can look in to.